-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
SingCERT Advisory SA-98.04.rpcbind_information

Original issue date: 11 November, 1998

Topic: ONC rpcbind information
- ---------------------------------------------------------------------------

Recently, SingCERT has received a number of queries relating to the
security implications of running rpcbind and portmapper (both ONC RPC
services). Below is a summary of the public information available
concerning their security. SingCERT recommends that sites take the steps
outlined in section 3 to evaluate their systems.

- ---------------------------------------------------------------------------

1. Introduction

Rpcbind is a server which maps RPC service requests to the relevant
transport endpoint. Rpcbind uses a transport-independent format, also known
as a universal address format, to identify the transport address on which
the relevant RPC service is listening. The Port Mapper Program protocol is
an older version of the rpcbind protocol which maps an RPC program and
version number directly to a TCP or UDP port.

When an RPC server is started, it registers with rpcbind the transport
endpoint it is listening on and the RPC program numbers it is prepared to
serve. When a client wishes to make an RPC call to a given program number,
it first contacts rpcbind on the server machine to determine the transport
endpoint to which RPC packets should be sent. To facilitate dynamic binding
of RPC programs, rpcbind is bound to a well-known address on each supported
transport, which makes this RPC program information publicly available.

2. Security Implications

Running rpcbind on a publicly accessible transport implies that this bind
information is available to all nodes reachable over that transport. In the
original distribution of ONC RPC, referenced in [1], rpcbind has no
mechanism for access control on source address.
A host running an rpcbind version derived directly from [1] therefore risks
exporting its RPC information over the Internet. The table below lists this
public information.

[TABLE 1] RPC bind public information
===========================================================================
Information                          |Program  | Version/Service
                                     |number   |
- ---------------------------------------------------------------------------
a. These services return a list of   |RPCBPROG | 3 RPCBPROC_DUMP
   all RPC programs registered in the|         | 4 RPCBPROC_DUMP
   rpcbind/portmapper database       |         |
                                     |PMAP_PROG| 2 PMAPPROC_DUMP
- ---------------------------------------------------------------------------
b. These services return statistics  |RPCBPROG | 3 RPCBPROC_GETTIME
   such as the time and activities of|         | 4 RPCBPROC_GETTIME
   the rpcbind server.               |         | 4 RPCBPROC_GETSTAT
- ---------------------------------------------------------------------------
c. These services allow the          |RPCBPROG | 3 RPCBPROC_CALLIT
   forwarding of RPC service requests|         | 4 RPCBPROC_BCAST
   as though they were coming from   |         | 4 RPCBPROC_INDIRECT
   the local system. They allow      |         |
   attackers to bypass IP based      |PMAP_PROG| 2 PMAPPROC_CALLIT
   authentication checks and invoke  |         |
   the RPC service directly.         |         |
- ---------------------------------------------------------------------------
d. This procedure returns the list   |RPCBPROG | 4 RPCBPROC_GETADDRLIST
   of addresses a client may use to  |         |
   determine the alternate transports|         |
   used to communicate with the      |         |
   server.                           |         |
===========================================================================

This information can be used to survey your hosts for vulnerable RPC
services and extract service information relating to the host.

3. Evaluation

To check whether your rpcbind service is exposed over the Internet, you can
compile and run the following user space program from an external host.
This program is adapted directly from TIRPCSRC 2.3, referenced in [1]. It
runs on Solaris 2.3 and above.
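Before the advisory's own program and rpcinfo checks, here is an added example that is not part of the advisory, not the rpcbindinfo program it distributes, and not code from TIRPCSRC. It is the detection-side counterpart of Table 1: it decodes the ONC RPC call header (RFC 1831) of a datagram sent to port 111 and maps the requested rpcbind/portmapper procedure to its Table 1 category (a: enumeration, b: statistics, c: forwarding, d: address list), so that traffic captured at the firewall can be checked for external hosts invoking these procedures. The procedure numbers are those of RFC 1833 [2]; build_call() is a helper that constructs sample datagrams for the classifier, and all sample traffic below is constructed, not captured.

```python
"""Classify ONC RPC requests addressed to rpcbind/portmapper (program 100000).

Added example for this advisory, not the rpcbindinfo program it distributes
and not code from TIRPCSRC.  Decodes the RPC call header (RFC 1831) and maps
the procedure number to the information class of Table 1 (RFC 1833 numbers).
"""
import struct

RPCBPROG = 100000     # rpcbind / portmapper program number
MSG_CALL = 0          # msg_type CALL
RPC_VERSION = 2       # RPC protocol version carried in every call
AUTH_NULL = 0         # credential flavor used for the constructed samples
MAX_AUTH_BYTES = 400  # RFC 1831 bound on an opaque_auth body

# Procedure names per rpcbind version (RFC 1833).  Version 4 reuses number 5
# for BCAST and adds procedures 9-12.
_V3 = {0: "NULL", 1: "SET", 2: "UNSET", 3: "GETADDR", 4: "DUMP", 5: "CALLIT",
       6: "GETTIME", 7: "UADDR2TADDR", 8: "TADDR2UADDR"}
PROCS = {
    2: {0: "NULL", 1: "SET", 2: "UNSET", 3: "GETPORT", 4: "DUMP", 5: "CALLIT"},
    3: _V3,
    4: {**_V3, 5: "BCAST", 9: "GETVERSADDR", 10: "INDIRECT",
        11: "GETADDRLIST", 12: "GETSTAT"},
}

# Table 1 category of each procedure that leaks information or forwards calls;
# procedures not listed (NULL, SET, GETPORT, ...) map to None.
TABLE1 = {"DUMP": "a", "GETTIME": "b", "GETSTAT": "b",
          "CALLIT": "c", "BCAST": "c", "INDIRECT": "c", "GETADDRLIST": "d"}


def build_call(xid, vers, proc, args=b""):
    """Encode an RPC CALL to program 100000 with AUTH_NULL cred and verf.

    Used here only to construct sample datagrams (constructed, not captured)."""
    header = struct.pack(">6I", xid, MSG_CALL, RPC_VERSION, RPCBPROG, vers, proc)
    opaque_auth = struct.pack(">2I", AUTH_NULL, 0)      # flavor, body length 0
    return header + opaque_auth + opaque_auth + args     # cred, verf, args


def parse_call(payload, tcp=False):
    """Decode an RPC call header.  Returns a dict, or None if the data is not
    a well-formed RPC version 2 CALL message."""
    if tcp:                      # TCP prepends a 4-byte record mark (RFC 1831)
        payload = payload[4:]
    if len(payload) < 24:
        return None
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">6I", payload[:24])
    if mtype != MSG_CALL or rpcvers != RPC_VERSION:
        return None
    off = 24
    for _ in range(2):           # cred then verf, each an opaque_auth
        if len(payload) < off + 8:
            return None
        _flavor, length = struct.unpack(">2I", payload[off:off + 8])
        if length > MAX_AUTH_BYTES:
            return None
        off += 8 + ((length + 3) & ~3)   # body is padded to a 4-byte boundary
    if off > len(payload):
        return None
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc,
            "args": payload[off:]}


def classify(payload, tcp=False):
    """Return (procedure name, Table 1 category) for a request to program
    100000, or None if the data is not such a request."""
    call = parse_call(payload, tcp)
    if call is None or call["prog"] != RPCBPROG:
        return None
    name = PROCS.get(call["vers"], {}).get(call["proc"], "UNKNOWN")
    return name, TABLE1.get(name)


if __name__ == "__main__":
    # Constructed sample datagrams, as they would arrive on UDP port 111.
    samples = {
        "portmap v2 DUMP": build_call(1, 2, 4),
        "rpcbind v4 INDIRECT": build_call(2, 4, 10),
        "portmap v2 GETPORT": build_call(3, 2, 3),
    }
    for label, dgram in samples.items():
        print(f"{label:22s} -> {classify(dgram)}")
```

Run stand-alone it classifies the three constructed samples. On real traffic, feed it the UDP payload of each datagram to port 111, or the TCP stream data with tcp=True so the record mark is skipped. Requests from outside the local network that land in category c (CALLIT, BCAST, INDIRECT) are exactly the forwarding procedures that Table 1 warns about, and a count of category a hits from external addresses shows how often the registration database is being dumped, which is what the restrictions in section 4 are meant to stop.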
ftp://ftp.singcert.org.sg/pub/SingCERT/singcert_advisories/source/rpcbindinfo.tar.gz
md5=ed82bcd2c0ae16bfd18992cb061d301b

a. To list all RPC programs registered in the RPC bind database, as
   described in table 1.a.

   /* syntax: rpcinfo -s [hostname] */
   $ rpcinfo -s host
   program version netid     address  service owner
   100000  4       ticots    host.rpc rpcbind superuser
   100000  3       ticots    host.rpc rpcbind superuser
   100000  4       ticotsord host.rpc rpcbind superuser
   100000  3       ticotsord host.rpc rpcbind superuser
   100000  4       ticlts    host.rpc rpcbind superuser
   100000  3       ticlts    host.rpc rpcbind superuser

   /* Another returned format, depending on the version of rpcbind run */
   program version(s) netid(s)                        service owner
   100000  2,3        ticlts,ticots,ticotsord,tcp,udp rpcbind superuser

b. To return the statistics of the RPC server, as described in table 1.b.

   /* syntax: rpcinfo -m hostname */
   $ rpcinfo -m host
   PORTMAP (version 2) statistics
   NULL  SET  UNSET  GETPORT      DUMP  CALLIT
   0     0/0  0/0    18091/18177  6     0/8

   PMAP_RMTCALL call statistics
   prog       vers  proc  netid  success  failure
   bootparam  1     1     udp    0        8

   PMAP_GETPORT call statistics
   prog        vers  netid  success  failure
   1342177280  4     tcp    5        0

   RPCBIND (version 3) statistics
   NULL  SET  UNSET  GETADDR  DUMP  CALLIT  TIME  U2T  T2U
   0     0/0  0/0    0/0      10    0/4     0     0    0

   RPCB_RMTCALL (version 3) call statistics
   prog       vers  proc  netid  success  failure
   bootparam  1     1     udp    0        4

   RPCBIND (version 4) statistics
   NULL  SET      UNSET    GETADDR  DUMP  CALLIT  TIME  U2T  T2U
   0     196/197  150/150  6/8      0     0/0     0     0    0
   VERADDR  INDRECT  GETLIST  GETSTAT
   0        0        8        2

c. To check for RPC service forwarding in rpcbind version 4, you can find
   out whether the CALLIT and INDIRECT services are returned in the results
   of 3.b. Another test, for the BCAST service, is to run the rpc_bcast
   program enclosed in the package above.

d. To return the list of available transports for the service, as
   described in table 1.d.
   /* syntax: rpcinfo -l hostname prognum versnum */
   $ rpcinfo -l localhost 100000 4
   program vers tp_family/name/class address         service
   100000  4    inet/tcp/cots_ord    127.0.0.1.0.111 rpcbind
   100000  4    inet/udp/clts        127.0.0.1.0.111 rpcbind

4. Preventive Methods

4.1 To prevent exposing RPC bind information over the Internet, all rpcbind
    service requests should be restricted to the local area network
    protected by the firewall. One method is to block incoming external
    requests bound for rpcbind, e.g. drop IP datagrams bound for TCP/UDP
    port 111.

4.2 Another method is to apply access control on source IP addresses for
    all rpcbind service requests. One such fix is to install Wietse
    Venema's replacement rpcbind package, redistributed by SingCERT at the
    address below:

    ftp://ftp.singcert.org.sg/pub/SingCERT/singcert_advisories/source/rpcbind_2.tar.gz
    md5=a568d35557db4a953ead2150375a7d01

    Another fix is to activate the IP access control mechanism as described
    in your vendor's RPC distribution.

5. References

[1] Sun Microsystems, "TIRPCSRC 2.3",
    ftp://playground.sun.com/pub/rpc/tirpcsrc2.3.tar.Z, 29 Aug 1994
[2] Srinivasan, R., "RFC 1833: Binding Protocols for ONC RPC Version 2",
    Aug 1995

- -------------------------------------------------------------------------
SingCERT Contact Information
- -----------------------------
Email           cert@singcert.org.sg
Phone           +65 874-6666 (Office Hours Hotline)
                SingCERT personnel answer 8:30-5:00 p.m. SGT (GMT+8)
Fax             +65 872-6198
Postal address  SingCERT
                3rd Floor Computer Centre
                National University of Singapore
                10 Kent Ridge Crescent
                Singapore 119260

Using encryption
We strongly urge you to encrypt sensitive information sent by email. We
support PGP. Contact SingCERT for more information.
Location of SingCERT PGP key
http://www.singcert.org.sg/asc/singcert.asc

Getting security information
SingCERT publications and other security information are available from
http://www.singcert.org.sg/
ftp://ftp.singcert.org.sg/pub/

To be added to our mailing list for advisories and bulletins, send an
empty email message to singcert-advisory-subscribe@singcert.org.sg

- -----------------------------------------------------------------------------
Copyright 1998 SingCERT.
- -----------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBNkujAHr03uiLwmvpAQHpRAP/Q+LHxn/f3iFq3kS2l+vnMg/uv5+KrJKr
m6lIxPf5T0aEWx4Khh70LHWADhfYhxQUNBDfVo45QVl7W8evIbSbsjLl5EoN6U3I
/ZFr7iSOcMVDo1FBayF2SfDbuicFbs6DKoxYdcN1qBG5B+f+3bJ4/b5uGJPlJhBq
Me9z2YyRVDA=
=c+r0
-----END PGP SIGNATURE-----